Is it really impossible to force an Intune sync from the command line?

Dr_Snooze 

I found out a way to do it. Triggering the ‘PushLaunch’ scheduled task doesn’t seem to actually perform a MDM sync like when the user selects ‘Sync’ in Company Portal settings or the ‘Access Work or School’ page in settings, as you’ve said. At least not when the user is only a standard user (ie, not an admin).

After some digging, I found that performing the command found in the actions part of the ‘Schedule #3’ Intune scheduled task. This seemed to be the only way I could get a proper MDM sync to work in a way that can be run as an administrator (ie, via PDQ or RMM) with the signed in and licenced user being a standard user.

Because the enrollment ID is different per machine, I added a one-liner to pull the ID from the Scheduled Task path on the machine and then use it in the deviceenroller.exe command.

The script:

$EnrollmentID = Get-ScheduledTask | Where-Object { $_.TaskPath -like "*Microsoft*Windows*EnterpriseMgmt\*" } | Select-Object -ExpandProperty TaskPath -Unique | Where-Object { $_ -like "*-*-*" } | Split-Path -Leaf

Start-Process -FilePath "C:\Windows\system32\deviceenroller.exe" -Wait -ArgumentList "/o $EnrollmentID /c /b"

I hope it helps someone else out.

To confirm this, run the script against a machine with task manager open and you can see the omadmclient.exe process running, just as it does when using the ‘Sync’ GUI button. This doesn’t happen when restarting IME or triggering the ‘PushLaunch’ task (not when the user is a standard user anyway).